Closed viccross closed 1 year ago
Updated cert generation code added the key usage and extended key usage fields from an example -- so it is not a change in SSL support, it's simply that a new version of the certificate was made which is actually broken.
An updated certificate is in testing (on Vic's Feb 13 demo rig); the process that made the incorrect certificate has had the additional "keyEncipherment" field added.
I have built a script based on expect and s3270. The script does the following:
/etc/ldap/
I feel like it is very fragile, however, since it is proving very difficult to reliably script against CMS over TN3270. Paul suggested GSKit on Linux, which I had looked for in the past but not been able to find. I just found it, however. There may be command-line options and/or alternative commands available in the GSKit package for Linux compared to CMS, which would make the process less fragile and more maintainable.
Tried to log on to OCP console hosted on our 7.3, and it failed. Looking at the LDAPSRV console I see:
The same Ansible openssl_csr code is used to generate key/CSR/cert. There seems to be an update to the SSL support in z/VM 7.3. On 7.2, gskkyman does not report any keyUsage fields, but on 7.3 it does. According to this support page, the certificate needs "keyEncipherment" enabled in keyUsage.
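The keyUsage fix discussed in this thread, sketched as an added example (not part of the issue or the project's playbooks): an Ansible play that requests "keyEncipherment" in the CSR and then reads the CSR back to confirm the bit is present before it goes to the CA. The file paths, common name, the other key usage values and the "before" variant in the comment are assumptions; the module names are the community.crypto collection's.

```yaml
# Added example. Paths, host name and the non-keyEncipherment values are
# assumptions for illustration, not the project's real settings.
- name: Build LDAP server CSR with keyEncipherment and verify it
  hosts: localhost
  gather_facts: false
  vars:
    key_path: /tmp/ldapsrv-example.key   # hypothetical path
    csr_path: /tmp/ldapsrv-example.csr   # hypothetical path
  tasks:
    - name: Create the private key (module default key type)
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}"

    # Assumed "before" state: key_usage listed only digitalSignature,
    # so the resulting certificate lacked keyEncipherment.
    - name: Create the CSR with keyEncipherment in keyUsage
      community.crypto.openssl_csr:
        path: "{{ csr_path }}"
        privatekey_path: "{{ key_path }}"
        common_name: ldapsrv.example.com  # hypothetical name
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth

    - name: Read the CSR back
      community.crypto.openssl_csr_info:
        path: "{{ csr_path }}"
      register: csr_info

    # Fails the play before the CSR reaches the CA if the bit is missing.
    - name: Check that keyUsage carries keyEncipherment
      ansible.builtin.assert:
        that:
          - "'Key Encipherment' in csr_info.key_usage"
        fail_msg: "CSR keyUsage lacks keyEncipherment: {{ csr_info.key_usage }}"
        success_msg: "CSR keyUsage: {{ csr_info.key_usage }}"
```

The same check can be run against the issued certificate with community.crypto.x509_certificate_info, which also returns a key_usage list.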